Welcome to the VLAN miniseries, where we are going to start from the very basics and progress towards more advanced setups for experienced network engineers. If you are new to the term VLAN and you are wondering what even is that, then in this video you will get all your answers and more!

VLANs are great if you are looking for an efficient and secure way to set up your networks. They are especially handy if you need to isolate different people or different devices and you want your setup to be easily adjustable. VLANs allow for more affordable setups, as you might be able to replace some of your routers with switches. But even if you are not a network engineer for a big company, they might still come in handy in your home network. Some use them for their wireless, to separate guest devices or IoT devices from their home network.
Personally, my favorite use case is to take a single Ethernet port that I have on a computer like this laptop and split it into multiple. VLAN stands for virtual LAN, and VLANs basically allow us to divide a LAN into multiple isolated segments. To best explain them I will need to talk a little bit about local area networks.

Typically, when you think of LAN you are probably thinking of some broad definition, like a private network that is confined to a physical location – a building or some small area. An image of an office comes to mind where IP addressing is established and you either have all your devices on a single IP network, or you split them up in groups using subnets or multiple local network address ranges. But the term LAN actually refers to more than the physical proximity of devices or the IP configuration. In these videos, we will define LAN as a single broadcast domain. What that means is that any two devices (laptop, CRS) that are physically connected and have established a data link are on the same LAN.
They can now exchange network frames using MAC addressing, and if one were to send a frame destined to the broadcast MAC address, the other one would receive it, as they are in the same broadcast domain. Furthermore, if the device receiving the broadcast frame (CRS) is a simple switch or a router with bridged ports, it will further send this broadcast frame to a number of connected devices. So if a third device can receive this frame, it is also in the same broadcast domain and in the same LAN.

Now let’s say we want to add another (fourth) device, but we want to isolate it from the third one. Well, we could simply not put them in the same bridge, and as a result they will be in separate broadcast domains and essentially separate LANs. But the L009 here would also be isolated from the first device (laptop). So we would have four devices in the same local area, all connected, but there would be two LANs that are separated on layer 2, the data link layer. They could still be configured to have IPs and communicate by routing the network layer packets, but the CPU on the CRS in the middle might have to do some work, because it would now have to act as a gateway where it has to consider the routing table and the firewall rules.

We could improve this setup with VLANs, and there are actually several ways to do that, both in terms of the VLAN topology and in how we configure our MikroTik devices. The best configuration will depend on what you need to accomplish and on what switch chip is housed in your device. So what do I want to accomplish? I want my laptop to have layer 2 connectivity with the hAP ac², but not have them all in the same broadcast domain, so that I can do things like run Netinstall and have WinBox access without a configured IP. I want my laptop to exchange layer 2 frames like ARP and MNDP with the hAP ac, but keep it isolated from the L009. So what can I do here? There is only one physical connection from the laptop! I need to split it virtually into two using VLANs.

We are starting with no existing configuration and I will show you the most basic VLAN configuration possible, even though it will not be the most efficient one for this particular CRS, as it will not take advantage of hardware offloading, but it is the most simple option and it will work on literally any RouterOS device. The configuration on SwOS is obviously different and I will not get into that for now, as we already have a good video on configuring VLANs in SwOS by Edgars, who is an expert on the VLAN topic – I am actually consulting with him myself.

Alright, on the CRS go to the interface VLAN section. There we can add a new interface with the name of our liking; I prefer to just name them VLAN followed by the VLAN ID I will use. The range you should use for these IDs is from 2 to 4094.
ID 1 is usable as well, but it has a special purpose in some equipment. And then the interface, in this case, is the one connected to the laptop. That’s how easy it is to create a couple of VLAN interfaces. Now any frames that we send to these will have VLAN tags inserted into their frame structure, and the altered frames will exit the ether24 interface. Similarly, VLAN-tagged traffic coming into the ether24 interface will have its tags removed and the frames will be sent out to the appropriate VLAN interfaces untagged, but at this point they don’t lead to anything just yet.

To help you further understand this topic, I will give you a quick brief on VLAN tags. A typical layer 2 frame has a very specific structure that was designed at the very beginning of the Ethernet protocol. Every single piece of network equipment expects that when it receives a frame and reads it bit by bit, the first six octets (a.k.a. bytes) are going to be the MAC destination address, the next six octets will be the MAC source address, and after that there will be 2 octets containing the EtherType, which indicates what kind of payload is encapsulated. Now VLAN tags were a later invention, and when they are used they change this structure by essentially inserting a 4-octet VLAN header before this regular EtherType. Since this is altering the very fabric of Ethernet, we have to respect that VLAN tags can lead to all sorts of unexpected behaviors.
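As an added example (this is not code from the video), here is a small Python script that builds and parses Ethernet frames with the 4-octet 802.1Q tag described above, and models what a port with no VLAN configuration does with a tagged frame. The ARP request bytes and the MAC addresses are constructed sample values; the TPID 0x8100 and the TCI layout (3-bit priority, 1-bit DEI, 12-bit VLAN ID) are from the 802.1Q standard.

```python
import struct

TPID_8021Q = 0x8100                       # EtherType value announcing an 802.1Q tag
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its fields, honouring one optional 802.1Q tag.

    Untagged: dst(6) src(6) EtherType(2) payload
    Tagged:   dst(6) src(6) TPID=0x8100(2) TCI(2) EtherType(2) payload
    The 4-octet tag sits between the source MAC and the original EtherType.
    """
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13                   # 3-bit priority code point
        vid = tci & 0x0FFF                # 12-bit VLAN ID (bit 12 is the DEI flag)
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a VLAN interface does when a frame leaves through it."""
    if not 1 <= vid <= 4094:              # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be between 1 and 4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already carries a tag")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag again, as a VLAN interface does for incoming tagged frames."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def vlan_unaware_receive(frame: bytes):
    """Model a port with no VLAN configuration: tagged frames are dropped (None)."""
    fields = parse_frame(frame)
    return None if fields["vid"] is not None else fields


# Constructed sample: an ARP request (who-has 10.0.0.1) as the laptop would send it untagged.
SRC_MAC = bytes.fromhex("0242ac110002")   # constructed MAC address
SAMPLE_ARP = (
    BROADCAST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP)
    + bytes.fromhex("0001080006040001")   # Ethernet/IPv4, ARP request
    + SRC_MAC + bytes([10, 0, 0, 2])      # sender MAC / IP
    + bytes(6) + bytes([10, 0, 0, 1])     # target MAC (unknown) / IP
)

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_ARP, 10)
    print("untagged header:", SAMPLE_ARP[:14].hex())
    print("tagged header:  ", tagged[:18].hex())
    parsed = parse_frame(tagged)
    print("parsed VID:", parsed["vid"], "EtherType:", hex(parsed["ethertype"]))
    print("VLAN-unaware port accepts tagged frame:", vlan_unaware_receive(tagged) is not None)
```

Running it shows the same ARP request with and without the tag: the destination and source MACs are unchanged, `8100 000a` appears where the EtherType used to be, the original `0806` follows it, and the payload is untouched, which is exactly why a device that does not expect the tag reads `0x8100` as an unknown EtherType and discards the frame.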
First of all, there is the case where you incorrectly add this tag or leave it out. When VLANs are not configured on a piece of networking equipment and it receives a frame with a VLAN tag, it will simply drop it. That means that not only will it break the network or IP layer, but it will also break other layer 2 protocols, such as ARP and network discovery. Similarly, adding a VLAN tag where there shouldn’t be any can also cause problems, for example for the spanning tree protocol and its derivatives like RSTP. Those protocols rely on sending special frames out of all the bridged or switched ports, so that other devices that receive them can detect potential traffic loops before they occur and manage their own physical ports to prevent that. It is generally a good idea to use them, as accidents happen: you plug the wrong cable in the wrong port and all of a sudden your whole network becomes unresponsive due to a traffic loop. Spanning tree prevents that! The problem here is that adding VLAN tags to these special frames can completely break those protocols. So we have to be mindful about how we handle them.

On that note, let’s bridge one of our newly created VLAN interfaces to a physical Ethernet port. When we create a bridge, by default it is set to protocol mode RSTP. And in this case, the protocol will be pretty broken, because the tagged RSTP frames will be ignored when received at a physical port, and further they might get untagged and spewed out of other bridged ports. In the next video, we will learn to handle our networks using VLAN-aware bridging, or as we call it, VLAN filtering. It will allow us to use VLANs in conjunction with the spanning tree protocols, but at this time we simply have to disable RSTP on our bridge. Next, we can add the ports as usual, and now we will be able to use this VLAN for layer 2 protocols, but this is a very crude way of doing things. In addition to losing the spanning tree, we also cannot benefit from hardware offloading in this manner, so it is generally not advised to do it this way. VLAN filtering will be a much more efficient method for the CRS326.

The VLAN interface method we are using now is more suitable for routing. The interfaces we create are a lot like physical interfaces. Instead of just bridging, we can assign IP addresses, set up DHCP servers and firewalls, and basically do any other layer 3 stuff we need. So we will use routing for vlan20, but first, let’s finish up with vlan10. All that is left to do to make it functional is to handle the VLAN tag 10 on the laptop. Funnily enough, this can easily be done from the GUI both in Linux and Mac, but in Windows you will likely have to use PowerShell.
Anyhow, in the NetworkManager GUI it will look something like this. Open up the network settings and click the add button, select VLAN. Then select the parent interface, and enter the VLAN ID and name. Finally, if there is no DHCP server running on the VLAN that you are connecting to, make sure to add some local address, otherwise Linux will not route layer 2 frames correctly even if you are not using IP addressing. If I now check WinBox neighbors, you can see that there is another device besides the CRS that I can connect to using its MAC address, because layer 2 traffic can successfully run through the VLAN. The hAP ac at the other end can operate as usual without any knowledge of the existence of a VLAN in this network – it will know that it is connected to the CRS and it will see whatever is at the other end of this VLAN. We could even Netinstall it from the laptop if we wanted.

Now let’s do a routed setup for vlan20, so that you can see the difference. To make that happen I will just set up static routing with the CRS as the gateway. I need to assign an IP address to vlan20 from one network and an address from another network to ether8. Then connect to the L009 and assign an IP from the same network as ether8. Also, set the CRS as the default gateway. After that, add a new VLAN on the computer, just like we did before, but this time in the IPv4 section we need to use an IP from the correct network and we also have to set a route to the L009. This time when I open WinBox, there again is another entry, but it is to the CRS. We cannot receive the network discovery packets from the L009 in this manner; however, if we manually enter its IP, we can now connect through vlan20.

In conclusion, here is what we have done – we took what would be a single broadcast domain and a single port for the laptop and virtually divided it. We did not create a trunk port, however; it is more like a hybrid port – we can use the two virtual broadcast domains along with the regular network connection, which is still functional and, as long as the VLANs are not being used at the same time, can still be operated with the same throughput. I hope you make use of this, and stay tuned for the next video on VLANs where we will do more advanced configurations with proper trunk and access ports. Right now all three devices connected to the CRS can see it, but in the next one, the CRS will become invisible! If you enjoyed this, make sure to like, subscribe and leave a comment or two, so that the algorithm knows this was good stuff, and I will see you in the next one!
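To tie the definition of a LAN as a broadcast domain back to the final topology of this video, here is an added Python model (not code from the video) that computes which devices see a broadcast frame sent out of a given port, untagged or carrying a given VLAN tag. It applies the rules used throughout: a tagged frame is only accepted on a port that has a VLAN interface for that ID, a bridge floods to its other members and tags on the way out through a VLAN interface, and a non-bridged interface ends the broadcast domain, which is why the L009 behind the routed ether8 is reachable only at layer 3. The port names ether24 and ether8 are from the video; eth0 on the laptop, ether5 as the CRS port facing the hAP ac, and the bridge members of the hAP ac and L009 are assumed placeholders.

```python
from collections import deque


class Device:
    """A device with optional VLAN interfaces and bridges (layer 3 is not modelled)."""

    def __init__(self, name):
        self.name = name
        self.vlan_by_port = {}   # (parent port, vid) -> VLAN interface name
        self.port_by_vlan = {}   # VLAN interface name -> (parent port, vid)
        self.bridges = {}        # bridge name -> set of member interface names

    def add_vlan(self, name, parent, vid):
        self.vlan_by_port[(parent, vid)] = name
        self.port_by_vlan[name] = (parent, vid)

    def add_bridge(self, name, members):
        self.bridges[name] = set(members)

    def bridge_members(self, iface):
        """Members of the bridge iface belongs to, or None when iface is not bridged."""
        for members in self.bridges.values():
            if iface in members:
                return members
        return None


class Topology:
    def __init__(self):
        self.devices = {}
        self.links = {}          # (device, port) -> (device, port), stored both ways

    def add(self, device):
        self.devices[device.name] = device
        return device

    def connect(self, dev_a, port_a, dev_b, port_b):
        self.links[(dev_a, port_a)] = (dev_b, port_b)
        self.links[(dev_b, port_b)] = (dev_a, port_a)

    def broadcast_receivers(self, src_dev, src_port, vid=None):
        """Devices whose CPU sees a broadcast frame sent out of src_port on src_dev,
        untagged (vid=None) or carrying 802.1Q tag vid. The sender is not included."""
        reached, seen, queue = set(), set(), deque()
        if (src_dev, src_port) in self.links:
            queue.append(self.links[(src_dev, src_port)] + (vid,))
        while queue:
            dev_name, port, tag = queue.popleft()
            if (dev_name, port, tag) in seen:
                continue
            seen.add((dev_name, port, tag))
            dev = self.devices[dev_name]
            if tag is None:
                iface = port                          # untagged: handled by the physical port
            else:
                iface = dev.vlan_by_port.get((port, tag))
                if iface is None:
                    continue                          # no VLAN interface for this tag: dropped
            reached.add(dev_name)                     # the device itself sees the frame
            members = dev.bridge_members(iface)
            if members is None:
                continue                              # not bridged: broadcast domain ends here
            for out in members - {iface}:             # a bridge floods to its other members
                if out in dev.port_by_vlan:
                    out_port, out_tag = dev.port_by_vlan[out]   # egress via VLAN interface adds the tag
                else:
                    out_port, out_tag = out, None
                if (dev_name, out_port) in self.links:
                    queue.append(self.links[(dev_name, out_port)] + (out_tag,))
        return frozenset(reached)


def build_video_topology():
    """Constructed model of the setup in the video (placeholder port names are marked)."""
    t = Topology()
    laptop = t.add(Device("laptop"))
    laptop.add_vlan("vlan10", "eth0", 10)               # eth0: assumed laptop port name
    laptop.add_vlan("vlan20", "eth0", 20)
    crs = t.add(Device("CRS"))
    crs.add_vlan("vlan10", "ether24", 10)
    crs.add_vlan("vlan20", "ether24", 20)               # routed, therefore not bridged
    crs.add_bridge("bridge10", ["vlan10", "ether5"])    # ether5: assumed port towards the hAP ac
    hap = t.add(Device("hAP ac"))
    hap.add_bridge("bridge", ["ether1", "ether2", "wlan1"])   # assumed default bridge
    l009 = t.add(Device("L009"))
    l009.add_bridge("bridge", ["ether1", "ether2"])     # assumed default bridge
    t.connect("laptop", "eth0", "CRS", "ether24")
    t.connect("CRS", "ether5", "hAP ac", "ether1")
    t.connect("CRS", "ether8", "L009", "ether1")
    return t


if __name__ == "__main__":
    t = build_video_topology()
    for tag in (None, 10, 20):
        print("laptop, tag", tag, "->", sorted(t.broadcast_receivers("laptop", "eth0", tag)))
    print("hAP ac untagged ->", sorted(t.broadcast_receivers("hAP ac", "ether1")))
    print("L009 untagged ->", sorted(t.broadcast_receivers("L009", "ether1")))
```

The three laptop queries reproduce the hybrid port from the conclusion: an untagged broadcast reaches only the CRS, one tagged 10 reaches the CRS and the hAP ac through the bridge, and one tagged 20 stops at the CRS because vlan20 is routed rather than bridged. Sending from the hAP ac shows the reverse path, where the bridge tags the frame on the way out of vlan10 so the laptop's own VLAN 10 interface receives it.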